Trust Assessment
prompt-assemble received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is "Incomplete critical function prevents security analysis".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Incomplete critical function prevents security analysis. The `_estimate_tokens` function, which is critical for the skill's token safety mechanism and processes user-controlled input, is truncated in the provided `scripts/prompt_assemble.py` file. This prevents a complete security analysis for potential command injection, data exfiltration, or supply chain risks within this function. Without the full implementation, it's impossible to verify how user input is handled during token estimation, especially concerning external calls or unsafe operations. Provide the complete source code for the `_estimate_tokens` function to allow for a thorough security review. Ensure that token estimation does not involve external process execution (e.g., `subprocess`, `os.system`, `eval`) or network calls with unsanitized user input. If external libraries are used, ensure they are properly pinned and vetted. | LLM | scripts/prompt_assemble.py:135 |